(RADIATOR) AuthBy SQL - Accounting Only (no auth)


Thu May 15 15:29:18 CDT 2003 

Ok, I see.  I'll try this (along with Matt's Handler recommendation).
Luckily it's not production yet so I can still play around with different
approaches...

- MBM

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, May 13, 2003 9:45 PM
To: Motley, Mark
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) AuthBy SQL - Accounting Only (no auth)


Hello Mark -

You will need to use the AuthBy GROUP construct to be able to apply
different AuthByPolicy's.

Something like this:

# define AuthBy clauses

<AuthBy SQL>
	Identifier SQLAccounting
	DBSource        dbi:mysql:radius:<blah>
       	DBUsername      radiator
       	DBAuth          <blah>

	# Just accounting, no auth

	IgnoreAuthentication
	AuthSelect

	AccountingTable	ACCOUNTING
	AcctColumnDef	<blah blah blah>
	AcctColumnDef	...
</AuthBy>

<AuthBy ADSI>
	Identifier CheckADSI
	[ ADSI config goes here, works fine ]
</AuthBy>

<AuthBy NT>
	Identifier CheckNT
	[ NT domain config here, works fine ]
</AuthBy>

# define AuthBy GROUP

<AuthBy GROUP>
	Identifier CheckUser
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckNT
	AuthBy CheckADSI
</AuthBy>

# define Realm's

<Realm DEFAULT>
	AuthByPolicy ContinueAlways
	AuthBy SQLAccounting
	AuthBy CheckUsers
	.....
</Realm>

Hope that helps.

regards

Hugh

> Hi folks,
>
> I've searched through the archives and am still having some
> difficulties
> with accounting information to a SQL database (without authenticating
> against the SQL database).  I've seen some posts that are close, but my
> situation is a bit unique (aren't they all?)
>
> My company is transitioning from a Windows NT domain to Active
> Directory.
> Because of this, I need to be able to authenticate against both ADSI
> and NT.
> Basically, ADSI is tried first, followed by NT.  Because of this, I
> have:
>
> AuthByPolicy	ContinueWhileReject
>
> in my config file, so it will continue down the line until done (but
> stop
> once the user is authenticated).  In essence, if the user is found in
> AD
> (via ADSI), authentication stops and the Authby NT is never tried.
> This
> works just fine.
>
> In the examples I've seen on the list archives, the AuthByPolicy is
> set to
> "ContinueAlways", which I don't think will work for our situation
> (correct
> me if I'm wrong please).
>
> So, I put an AuthBy SQL section in my config file.  Since I want
> authentication to be ignored for this clause, I add
> "IgnoreAuthentication".
> Accounting DOES work, however it would appear that the AuthBy SQL
> clause is
> still trying to do authentication even though I've told it NOT to.
> With
> this section, ADSI or NT is never even tried.
>
> Here's the snipped config file.  Any help is appreciated...
>
> ------
> <Realm DEFAULT>
>
> AuthByPolicy	ContinueWhileReject
>
> <AuthBy SQL>
> 	DBSource        dbi:mysql:radius:<blah>
>       DBUsername      radiator
>       DBAuth          <blah>
>
> 	# Just accounting, no auth
>
> 	IgnoreAuthentication
> 	AuthSelect
>
> 	AccountingTable	ACCOUNTING
> 	AcctColumnDef	<blah blah blah>
> 	AcctColumnDef	...
> </AuthBy>
>
> <AuthBy ADSI>
> 	[ ADSI config goes here, works fine ]
> </AuthBy>
>
> <AuthBy NT>
> 	[ NT domain config here, works fine ]
> </AuthBy>
>
> </Realm>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

-------------------------------------------------------

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list